Cherwell application (on-prem)

IAM David Bantz dabantz at alaska.edu
Mon Apr 29 14:02:33 EDT 2019


Yes, my understanding is that Windows client users are authenticated via
their domain login alone and that enabling that access without additional
prompt for credentials was a "requirement" of our deployment. And yes,
that hinders implementing MFA for the Windows thick clients.

David

On Mon, Apr 29, 2019 at 9:53 AM Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 4/29/19, 1:43 PM, "IAM David Bantz" <db at alaska.edu> wrote:
>
> > 1. Both thick (Windows) clients and web browser interface are supported.
> To support both as seamlessly as possible, our
> > AD team asked that we identify users of the web client with an
> identifier including the Windows domain, like
> > ua\username. This required ginning up that identifier in
> attribute-resolver.xml
>
> We support SSO for both thick client and browser, and both use email
> address IDs just fine (not that I'm advocating it, but in practice email
> vs. domain naming is functionally the same, it's likely name based on just
> as good/bad as the other). It's SAML either way. If there's a domain login
> feature for the thick client (SPNEGO), we didn't use it, but that would be
> a probable reason for pushing the domain naming. It's also probably a bad
> choice, since it's a giant pain to support compared to browser-based login,
> and you lose MFA, etc.
>
> -- Scott